-
Docs
-
Label Reference
- access.public
- audit
- command.perform
- crypto.decrypt
- crypto.digest
- crypto.encrypt
- crypto.set_auth_data
- dao.materialize
- deserialize.safe
- deserialize.sanitize
- deserialize.unsafe
- http.session.clear
- job.cancel
- job.create
- job.perform
- jwt.decode
- jwt.encode
- jwt.signature.verify
- log
- rpc.circuit_breaker
- secret
- security.authentication
- security.authorization
- security.logout
- string.equals
- system.exec
- system.exec.safe
- system.exec.sanitize
-
access.public
- Rules
-
missing-authentication
Indicates that a request allows public access - that is, authentication is not always required to make the request.
-
audit
- Rules
-
update-in-get-request
Writes an audit record, i.e. a permanent record of some application activity.
-
command.perform
- Rules
Indicates that an event represents the invocation of command-line command, such as a shell command or a script. Rules that use the
commandscope can match events that are descendants ofcommand.performevent. -
crypto.decrypt
A function that performs decryption.
-
crypto.digest
A function that computes a cryptographic digest (or ‘hash’) of some data.
-
crypto.encrypt
A function that performs encryption.
-
crypto.set_auth_data
A function that sets authenticated data for an encryption operation.
-
dao.materialize
Loads data access objects from the database into memory.
Examples
-
deserialize.safe
Indicates that a function performs deserialization safely.
Examples
- Ruby JSON.parse
-
deserialize.sanitize
Ensures that data is safe and trusted for deserialization, transforming it if necessary, and returning
falseyor raising an exception if it’s impossible to make the data safe.A function with this label can be used to convert untrusted data such as direct user input or HTTP request parameters into trusted data.
Note that this is not the same as ensuring that a parameter satisfies business logic constraints - such as presence or max length. It’s a security check that ensures the data cannot cause harm on deserialization.
To be considered successful, a
deserialize.sanitizefunction must return atruthyvalue.Examples
- Running user-provided YAML through a “safe loader” which discards unsafe syntax such as object class names.
-
deserialize.unsafe
Indicates that a function does not guarantee safe deserialization.
Examples
- Ruby YAML.unsafe_load
- Ruby Marshal.load
- Java javax.jms.ObjectMessage#getObject
-
http.session.clear
Clears the HTTP session. Any previously issued session id becomes invalid.
-
job.cancel
- Rules
-
job-not-cancelled
Cancels execution of a background job.
Examples
-
job.create
- Rules
-
job-not-cancelled
Schedules a background job for execution. Background jobs run in a separate thread or process from the web application request - therefore they do not block the response.
Examples
-
job.perform
- Rules
Indicates that an event represents the invocation of a background job. Rules that use the
commandscope can match events that are descendants ofjob.performevent. -
jwt.decode
- Rules
-
jwt-unverified-signature
Performs decoding of a JWT token.
-
jwt.encode
- Rules
-
jwt-algorithm-none
Performs encoding of a JWT token.
-
jwt.signature.verify
- Rules
-
jwt-unverified-signature
Verifies the signature on a JWT token to ensure that it’s authentic.
-
log
- Rules
-
secret-in-log
Writes a message to the application log.
Examples
-
rpc.circuit_breaker
Indicates that a function provides circuit breaker functionality.
When present, a circuit breaker function is expected to be invoked as a descendant of an RPC client request.
Examples
-
secret
Indicates that a function returns a secret value. A secret is a user password, cryptographic key, authentication token, etc that is used for authentication or other verification.
Personally-identifiable information (PII) does not fall under the scope of the
secretlabel. -
security.authentication
Verifies the identity of an application user.
Returns
truthyif the user identity is confirmed; otherwisefalsey. -
security.authorization
- Rules
-
authz-before-authn
Test whether the current authenticated user has permission to make a web request.
Returns
truthyif the request is allowed; otherwisefalsey. -
security.logout
Logs out an application user.
The function is assumed to be successful regardless of the return value.
-
string.equals
- Rules
-
insecure-compare
Compares two strings for equality.
The function receiver should be a string, and the function should take one argument that is the other string.
Returns
truthyif the strings are equal; otherwisefalsey.Examples
- Ruby String#==
- Java String#equals
-
system.exec
Indicates that a function performs an OS system command.
-
system.exec.safe
Indicates that a function performs an OS system command in a manner which is known to be safe.
-
system.exec.sanitize
Ensures that data is safe and trusted for use as a system command, transforming it if necessary, and returning
falseyor raising an exception if it’s impossible to make the data safe.A function with this label can be used to convert untrusted data such as direct user input or HTTP request parameters into trusted data.
Note that this is not the same as ensuring that a parameter satisfies business logic constraints - such as presence or max length. It’s a security check that ensures the data cannot cause harm when used as a system command.
To be considered successful, a
system.exec.sanitizefunction must return atruthyvalue.Examples
- Ensuring that a user-provided file path is a subdirectory of a known allowed directory.
- Ensuring that a system command string does not have any potential injection or side-effects.
Thank you for your feedback!
